What is the cost of data breaches to businesses? Just how much do data protection breaches cost? What’s all the fuss about?
On July 27, 2022, IBM Security published its annual report, ‘Cost of a Data Breach Report’, and its findings justify businesses’ concerns and motivations to ensure compliance with data protection and information security laws.
It is estimated that the global average cost of a data breach has reached an all-time high: $4.35 million – meaning costs have increased by nearly 13 per cent over these past two years alone.
As a result, the report finds, it is consumers who ultimately bear the consequences of these breaches: their data is put at risk, and 60 per cent of businesses are said to have raised their prices as a consequence of a data breach.
It is well known that the GDPR and information security laws have set a high standard for businesses when it comes to processing data. However, it is not just the GDPR that has reinforced a culture of strong data protection principles, but also the increased risk of criminal cyber security attacks, human error and system glitches, all of which cause data breaches.
The GDPR has tasked the data controller, and therefore businesses, not only to comply with the law but also to be able to demonstrate and prove that compliance. Failure to do so can result in significant fines and exposure to litigation.
So, how can you ensure that your business is on the ball?
Businesses’ first step is to familiarise themselves with data protection legislation and engage with privacy professionals and lawyers to enact a holistic strategy and framework.
The benefits of having a Privacy Program not only include compliance with the GDPR and the reduction of risk, but also enhanced public trust in the company and its brand. Therefore, your business should have an organisational privacy vision which encapsulates all aspects of data protection and security across all departments.
Businesses, as data controllers, must have clear data maps which record the personal information collected and processed, while also having a strong understanding of the privacy and data protection laws and regulations which are in-scope to the organisation.
This can only be done with the collaboration of all departments within the business – there is no compliance unless all departments within an organisation are included in the privacy framework and strategy.
How can you ensure all departments are in line? Including all departments in the company-wide frameworks and strategy is only the first step in ensuring compliance.
The privacy professionals will need to determine who collects and uses personal information, what types of personal information are held company-wide, where the data is stored and for how long, and whether data is transferred to third parties and, if so, to whom and where.
Having clear records of data processing would indicate that your business is serious about protecting its clients’ data and safeguarding their rights at law.
Another crucial pillar of privacy management is having the appropriate technical and environmental practices in place. From ensuring that only authorised personnel have access to physical cabinets containing personal information, to having two-factor authentication in place, to installing the right software across the whole of the business’s computer network, the data controller must contemplate every aspect of data processing.
Are your tech programs compliant? Can your data processors, including payroll companies and all other external third-party vendors, demonstrate and match the level of care and protection you require?
While no single privacy technology product is enough on its own to make a business compliant, such products, together with a robust technical security system, may be the missing piece your business has been looking for to complete its compliance requirements.
To achieve compliance, companies and organisations are also recognising the vital importance of training and informing their staff of privacy policies and the principles of the GDPR. It is the employer’s duty to ensure that employees processing personal information are aware of the company’s policies, and what data protection entails.
Employees should also be trained to recognise data access requests and to identify data incidents and data breaches. Moreover, since data breach incidents expose the business to legal liability, an action plan detailing the company’s approach and response is crucial to minimise further damage and to minimise risk and liability.
One must always keep in mind that under the GDPR, certain data breaches must be reported to the Information and Data Protection Commissioner without undue delay, usually within 72 hours.
The above is but a small portion of how to ensure your business is on the ball and is adequately protected and compliant with the law. Although information privacy and security programs are often not revenue-generating, they help make a business compliant with the law and reduce the risk of high fines as a result of data incidents.
Data protection should be integrated and embedded in every aspect of the running of any business, company and organisation.
Luana Farrugia is an associate at Valletta Legal.